Description
Establishes SYSTEM-level persistence by registering a WMI event consumer that fires on an interval, at an explicit time, on logon, or on startup. Once triggered, the subscription runs a SpecterInsight PowerShell cradle.
Overview
This script uses WMI to subscribe to an event and run a Specter cradle whenever that event occurs, giving persistence on the system. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSE.exe) and therefore runs with SYSTEM privileges. Four triggers are available:
- OnStartup: Executes between 4 and 5 minutes after system startup.
- OnLogon: Executes on any user logon.
- OnInterval: Executes on an operator specified interval (e.g. every X seconds).
- OnTime: Executes every day at an operator-specified local time.
The persistence mechanism can be installed locally, or remotely by impersonating explicit credentials.
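Because every variant of this technique leaves a __FilterToConsumerBinding in root\subscription, defenders can enumerate those bindings directly. The following is an added example written for this page (not part of the SpecterInsight module); it resolves each binding to its filter and consumer, classifies the trigger from the filter query, flags consumers that execute commands or script, and lists the timer instructions that back the OnInterval/OnTime triggers. The keyword list used for the Suspicious flag is a constructed, illustrative one.

```powershell
# Added example for defenders, not part of the SpecterInsight module: enumerate
# permanent WMI event subscriptions and flag the filter/consumer pairs this
# technique leaves behind. Run from an elevated Windows PowerShell 5.1 prompt.
$ns = 'root\subscription'

# Consumer classes that run an arbitrary command or script when their filter fires
$execConsumers = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

# Rough classification of a filter query into the trigger types described above
function Get-TriggerType([string]$Query) {
    switch -Regex ($Query) {
        '__TimerEvent|TimerId'                               { 'Timer (OnInterval/OnTime)'; break }
        'Win32_LogonSession|Win32_LoggedOnUser'              { 'Logon'; break }
        'Win32_PerfFormattedData_PerfOS_System|SystemUpTime' { 'Startup'; break }
        default                                              { 'Other' }
    }
}

$findings = foreach ($binding in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
    # Filter and Consumer are relative object paths such as
    # __EventFilter.Name="SCM Health Check Filter"; resolve them to full instances
    $filter   = [wmi]"\\.\${ns}:$($binding.Filter)"
    $consumer = [wmi]"\\.\${ns}:$($binding.Consumer)"

    # CommandLineEventConsumer exposes CommandLineTemplate; ActiveScriptEventConsumer exposes ScriptText
    $payload = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate }
               elseif ($consumer.ScriptText)      { $consumer.ScriptText }

    # Constructed keyword list: interpreters commonly launched from such consumers
    $isExecConsumer = $execConsumers -contains $consumer.__CLASS
    $launchesHost   = $payload -match 'powershell|cmd\.exe|mshta|wscript|cscript|rundll32|regsvr32'

    [pscustomobject]@{
        Filter        = $filter.Name
        Trigger       = Get-TriggerType $filter.Query
        Query         = $filter.Query
        ConsumerClass = $consumer.__CLASS
        Consumer      = $consumer.Name
        Payload       = $payload
        Suspicious    = $isExecConsumer -and $launchesHost
    }
}

$findings | Sort-Object Suspicious -Descending | Format-List

# Timer instructions back the OnInterval/OnTime triggers and live in root\cimv2,
# the namespace from which the module's uninstall script removes its TimerId
Get-WmiObject -Namespace root\cimv2 -Class __TimerInstruction |
    Select-Object __CLASS, TimerId, IntervalBetweenEvents, EventDateTime | Format-Table -AutoSize
```

A binding whose consumer is a CommandLineEventConsumer launching PowerShell, paired with a timer or logon filter, matches the artifacts this module creates and warrants a look at the consumer's command line.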
Arguments
Parameter | Type | Description |
---|---|---|
ComputerName | string | The IP address or hostname of the computer on which to install the persistence. |
Username | string | The username to authenticate with. |
Password | string | The password to authenticate with. |
FilterName | string | The name of the WMI event filter. |
ConsumerName | string | The name of the WMI event consumer. |
Trigger | string | The type of event that will run a new PowerShell cradle. |
InteralPeriod | int | The number of seconds between executions of the PowerShell cradle when using the OnInterval trigger. |
ExecutionTime | TimeSpan | The local time, in hh:mm:ss format, at which to execute the PowerShell cradle when using the OnTime trigger. |
Build | string | The Specter build identifier. |
Dependencies
- None
Operating Systems
- Windows
Pre-Requisites
- High Integrity process.
Example Output
{
"Persistence": {
"Id": "babc72a228f94b1fb98d9c232d078e9b",
"Method": "WMI Event Subscription",
"Trigger": "OnInterval",
"Profile": "System",
"Event": "Create",
"Success": true,
"UninstallScript": "try {\r\n\t$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter \"Name = 'SCM Health Check Consumer'\"\r\n\t$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter \"Name = 'SCM Health Check Filter'\"\r\n\t$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query \"REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding\"\r\n\t$TimerIdToRemove = Get-WmiObject -Class __IntervalTimerInstruction -Filter \"TimerId='44631667'\"\r\n\t\r\n\t$FilterConsumerBindingToCleanup | Remove-WmiObject\r\n\t$EventConsumerToCleanup | Remove-WmiObject\r\n\t$EventFilterToCleanup | Remove-WmiObject\r\n\tif($TimerIdToRemove -ne $null) { $TimerIdToRemove | Remove-WmiObject }\r\n\t$success = $true\r\n} catch {\r\n\t$success = $false\r\n\tthrow\r\n}\r\n\t \r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = \"babc72a228f94b1fb98d9c232d078e9b\";\r\n\t\tEvent = \"Delete\";\r\n\t\tSuccess = $success;\r\n\t Method = \"WMI Event Subscription\";\r\n\t Profile = \"System\";\r\n\t Trigger = \"OnInterval\";\r\n\t}\r\n}",
"ConsumerName": "SCM Health Check Consumer",
"FilterName": "SCM Health Check Filter"
}
}